We frequently get enterprise customers who are deploying Azure AD B2C for their consumer identity needs and have to carefully consider how their customer helpdesk needs to be prepared to deal with the transition to a new consumer identity platform.
Azure AD B2C and most other CIAM products are designed to be truly self-service. This means that you can reasonably expect your customers to be able to change or reset their passwords, edit profile information, select or update their multi-factor authentication options and such. However, depending on your user demographic, you might still need to figure out a helpdesk strategy. If your helpdesk has been trained up on your authentication screens, they should be able to unblock a large majority of user issues with some on-the-phone handholding, but there are still some account service requests that crop up that need ‘power tools’.
When it comes to help-desk ‘power tools,’ your two options with Azure AD B2C are to use the built-in administrator UI in the Azure portal or build your own custom admin experience.
Use The Azure Portal
The easiest option is to just have your help-desk agents use the Azure Portal to make user updates. Here’s what you would need to do to set this up:
- Create a help-desk group in your employee Azure AD tenant and add the help-desk administrators to that group.
- Add the helpdesk group to the User Administrators role in Azure AD B2C.
- Your help-desk users will get an invitation to participate in the Azure AD B2C tenant. Once they have accepted the invite, they will be able to log in to the Azure Portal, navigate to the Azure AD B2C tenant, and make user profile updates.
Here are some of the pros and cons of this approach to consider:
Pros:
- The Azure Portal is free to use, and no additional development is required
- Almost all help-desk tasks can be carried out using the Azure Portal
- Administrative features are constantly being updated in the platform
Cons:
- Azure Portal UI is designed to be the single management portal for all Azure assets such as virtual machines, API services and more. Your helpdesk needs to be trained to navigate to the Azure AD B2C blade and ignore other Azure assets they don’t have access to even if they’re visible in the portal UI.
- While built-in user attributes such as the user’s name, address and such can be updated through the portal, you can’t update custom user attributes you may have defined and collected from your users. While these scenarios are less common, you will need to use the MS Graph API to resolve such issues.
- The user profile management UI for Azure AD B2C is modeled off the management UI for corporate/employee Azure AD tenants. As a result, some functionality that shows up in the user profile such as license assignments, device management, and a few other features are not applicable to Azure AD B2C and can be confusing.
Build An Admin Portal
The Microsoft Graph is a powerful set of APIs that allows you to fully manage and maintain your Azure AD B2C tenant and end-user data. You can wrap the Graph API calls into an administrative portal that is purpose-built for your helpdesk, has escalation paths documented, and is branded for your company. Setting up a custom admin portal involves the following high-level steps:
- Design the front-end for the administrative portal with the core functionality you want to provide your help-desk users
- Stand up an API service in Azure or another cloud host and write APIs that can be called from the admin portal. These APIs will, in turn, make service-to-service MS Graph calls to perform user update tasks.
- Gate-keep access to the administrative portal by using Azure AD (or your existing employee management system) so that only valid help-desk users have access.
Pros:
- Can be designed to be light-weight and tailored to the specific help-desk scenarios your customers have
- Since the back end is powered by Graph, there are no limits to the complexity of help-desk enablement scenarios that can be built
Cons:
- This is a new service/portal that needs to be maintained and managed
- Adds to total engineering cost
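As an added illustration (not code from this article or from Microsoft), here is one way the back-end API in the steps above could gate a profile update before making the service-to-service Graph call: it checks the agent's help-desk group claim, restricts changes to an allowlist, and maps custom attributes to their Graph names. The group ID, extensions app ID, allowlists and the `build_user_patch` helper are placeholders and assumptions; the agent's token is assumed to be validated already.

```python
import json
import re
from urllib.parse import quote

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users/"
HELPDESK_GROUP_ID = "00000000-0000-0000-0000-0000000000aa"  # placeholder: help-desk group object ID
B2C_EXT_APP_ID = "00000000-0000-0000-0000-0000000000bb"     # placeholder: b2c-extensions-app client ID
# Hypothetical policy: the only profile fields a help-desk agent may change.
ALLOWED_BUILTIN = {"displayName", "givenName", "surname", "city", "postalCode"}
ALLOWED_CUSTOM = {"LoyaltyId"}
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


class Denied(Exception):
    """Raised when a request must not be forwarded to Graph."""


def custom_attr(name):
    # B2C exposes custom attributes as extension_<app id without hyphens>_<name>.
    return "extension_{}_{}".format(B2C_EXT_APP_ID.replace("-", ""), name)


def build_user_patch(agent_claims, user_id, changes):
    """Return (method, url, body, audit) for a Graph user update, or raise Denied.

    agent_claims: claims from the agent's token, assumed to have been
    signature- and audience-validated by the web framework.
    """
    if HELPDESK_GROUP_ID not in agent_claims.get("groups", []):
        raise Denied("caller is not in the help-desk group")
    if not GUID.fullmatch(user_id):
        raise Denied("user_id must be a directory object ID")
    body = {}
    for field, value in changes.items():
        if field in ALLOWED_BUILTIN:
            body[field] = value
        elif field in ALLOWED_CUSTOM:
            body[custom_attr(field)] = value
        else:
            raise Denied("field not permitted for help-desk: " + field)
    if not body:
        raise Denied("no changes supplied")
    # Audit record names the agent and the fields touched, not the values.
    audit = {"agent": agent_claims.get("oid"), "target": user_id, "fields": sorted(body)}
    return "PATCH", GRAPH_USERS + quote(user_id, safe=""), json.dumps(body), audit
```

The service would send the returned request with its own app-only Graph token, so help-desk agents never hold Graph permissions themselves.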
In our experience, the choice really depends on your timeline, breadth of helpdesk scenarios, and budget. Drop us a note at firstname.lastname@example.org if you’d like to talk some more about admin portals and how to set them up.